The European General Data Protection Regulation represents the most significant change to data protection in the UK and EU since 1995. Once adopted, it will have the force of law across all 27 EU states, giving uniformity of data protection laws across all member states and significantly increasing penalties for non-compliance. The ISF, working with its members, has identified the top five actions to take.
1 - Get your privacy policies, procedures and documentation in order and keep them up to date: data protection authorities will be able to ask for these at any time.
2 - Form a governance group that oversees all your privacy activities, led by a senior manager or executive. If you have over 250 employees, appoint a data protection officer. The group should develop metrics to measure the status of privacy efforts, report regularly and create statements of compliance that will be required as part of your organisation’s annual report.
3 - Implement a breach notification process and enhance your incident management processes and your detection and response capabilities. Any data breach must be notified to the relevant data protection authority, even if protective measures, such as encryption, are in place or the likelihood of harm is low.
4 - Prepare your organisation to fulfil the "right to be forgotten", "right to erasure" and the "right to data portability". A strategy covering topics such as data classification, retention, collection, destruction, storage and search will be required – and it should cover all mechanisms by which data is collected, including the internet, call centres and paper.
5 - Create and enforce privacy throughout your systems' lifecycles to meet the "privacy by design" requirement, whether you buy or develop. This will ensure privacy controls are stronger, simpler to implement, harder to bypass and fully embedded in a system's core functionality.
Adrian Davis is a principal analyst at the Information Security Forum (ISF)
This was first published in March 2012